[OpenID] Phishing resistant policy of PAPE

Eric Norman ejnorman at doit.wisc.edu
Wed Oct 29 01:49:44 UTC 2008


On Oct 28, 2008, at 8:06 PM, Breno de Medeiros wrote:

> Ok, so the scenario is:
>
> 1. Site example.com is a respectable RP that accepts only PAPE-enabled
> OPs, such as unphishable-OP.com
> 2. Site evil.com is an impostor to site example.com, and wants to get
> the user's credit card by impersonating example.com.
> 3. Site evil.com implements a fake replica of example.com (say
> examp1e.com) and uses PAPE to authenticate users via the legitimate
> OP.
> 4. User logs into site examp1e.com using the real unphishable-OP.com
> (since OP is using un-phishable authentication) and now is fairly
> confident that it is talking instead to example.com and enters the
> credit card.

That's mostly the idea, except maybe #4.  The user supplies their
credit card number to evil.com.  Is that what you were trying to say?

> The problem with that scenario is that we are already assuming that
> the user is ignoring all types of signals at examp1e.com related to,

True enough.  And the so-called phishing resistance of OpenID doesn't
change this.  I.e. it doesn't add any different signals that can't be
faked by evil.com.  That's the point; that's why I say the phrase
is misleading.

Eric Norman
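As an added illustration of the point argued above (this is example code written for this page, not code from the thread, from OpenID libraries, or from any OP or RP named in it): a toy OP that builds the PAPE part of a positive assertion, and a toy RP check that reads it back. The OP chooses which policy URIs to assert purely from how the user authenticated to the OP; the return_to of the requesting site is copied through untouched. So the RP-side check that "the user authenticated with a phishing-resistant method" passes for a lookalike return_to exactly as it does for the genuine one, and the user sees no new signal that distinguishes the two. The namespace and policy URIs are the real PAPE 1.0 values; the hostnames, the `POLICIES_SATISFIED_BY` table, the auth_time value and the function names are constructed for the example.

```python
from urllib.parse import urlencode, parse_qsl

# Real PAPE 1.0 identifiers.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = (
    "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
)

# Hypothetical OP-side table (constructed): which policy URIs the OP is willing
# to assert for each way it can authenticate a user.  The only input is the
# authentication method; nothing about where the user is sent afterwards.
POLICIES_SATISFIED_BY = {
    "password": set(),
    "hardware-token": {PHISHING_RESISTANT},
}


def op_assertion(return_to, auth_method, auth_time="2008-10-28T20:06:00Z"):
    """Toy OP: build the query string of a positive assertion carrying PAPE.

    The PAPE policy list depends only on auth_method.  return_to is whatever
    the requesting site asked for; the OP does not vouch for it.
    """
    policies = POLICIES_SATISFIED_BY[auth_method]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.return_to": return_to,
        "openid.ns.pape": PAPE_NS,
        # "none" is the PAPE value for "no requested policy was satisfied".
        "openid.pape.auth_policies": " ".join(sorted(policies)) or "none",
        "openid.pape.auth_time": auth_time,
    }
    return urlencode(params)


def parse_pape(query_string):
    """Toy RP: pull the PAPE fields out of an assertion, or None if absent.

    The PAPE fields live under whichever alias the OP bound to the PAPE
    namespace, so the alias is located by its namespace value rather than
    assumed to be "pape".
    """
    params = dict(parse_qsl(query_string))
    alias = next(
        (k[len("openid.ns."):] for k, v in params.items()
         if k.startswith("openid.ns.") and v == PAPE_NS),
        None,
    )
    if alias is None:
        return None
    raw = params.get(f"openid.{alias}.auth_policies", "none")
    return {
        "return_to": params.get("openid.return_to", ""),
        "policies": set() if raw == "none" else set(raw.split()),
        "auth_time": params.get(f"openid.{alias}.auth_time"),
    }


def rp_accepts(query_string):
    """What a PAPE-only RP actually learns: the user authenticated to the OP
    with a phishing-resistant method.  Nothing here identifies the RP."""
    pape = parse_pape(query_string)
    return pape is not None and PHISHING_RESISTANT in pape["policies"]


def pape_fields_identical(query_a, query_b):
    """True when two assertions carry the same PAPE content, whatever their
    return_to.  Used below to show the OP says the same thing to both sites."""
    a, b = parse_pape(query_a), parse_pape(query_b)
    if a is None or b is None:
        return False
    return a["policies"] == b["policies"] and a["auth_time"] == b["auth_time"]


if __name__ == "__main__":
    # Constructed sample: the same user, same hardware-token login at the OP,
    # once for the genuine site and once for the lookalike from the thread.
    genuine = op_assertion("https://example.com/openid/return", "hardware-token")
    lookalike = op_assertion("https://examp1e.com/openid/return", "hardware-token")
    print("genuine RP accepts:  ", rp_accepts(genuine))
    print("lookalike RP accepts:", rp_accepts(lookalike))
    print("PAPE content identical:", pape_fields_identical(genuine, lookalike))
```

Running it shows both checks succeed and the PAPE content is byte-for-byte the same; only return_to differs, and that value is the one the user was already ignoring in the scenario.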
